Linux backdoor planted on company network to steal data

During an investigation into how a breach occurred at a large internet hosting provider, researchers found a Linux backdoor capable of stealing login credentials from secure shell connections.

The Trojan, named “Fokirtor”, was found on the company’s network. The breach which was being investigated happened in May and exposed the login credentials of customers.

Even though the passwords were hashed and salted, Symantec researches revealed that by using the Fokirtor Trojan, attackers could have accessed the encryption key that secured the organisation’s internal communications.

The Fokirtor Trojan targets users of the Linux operating system.

A blog post released by the company who suffered the breach said “This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,”, later adding that the Trojan, instead, injected itself into the organization’s SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.